Merge branch 'main' into release-agents-foundry

v-alje · v-alje · commit 0a0f75c50b2d · 2025-02-04T18:05:09.000Z
diff --git a/articles/ai-foundry/model-inference/includes/configure-entra-id/bicep.md b/articles/ai-foundry/model-inference/includes/configure-entra-id/bicep.md
@@ -100,6 +100,10 @@ Once you configured Microsoft Entra ID in your resource, you need to update your
 
 [!INCLUDE [about-credentials](about-credentials.md)]
 
+## Troubleshooting
+
+[!INCLUDE [troubleshooting](troubleshooting.md)]
+
 ## Disable key-based authentication in the resource
 
 Disabling key-based authentication is advisable when you implemented Microsoft Entra ID and fully addressed compatibility or fallback concerns in all the applications that consume the service. You can achieve it by changing the property `disableLocalAuth`:
diff --git a/articles/ai-foundry/model-inference/includes/configure-entra-id/cli.md b/articles/ai-foundry/model-inference/includes/configure-entra-id/cli.md
@@ -89,4 +89,8 @@ Once Microsoft Entra ID is configured in your resource, you need to update your
 
 [!INCLUDE [code](../code-create-chat-client-entra.md)]
 
-[!INCLUDE [about-credentials](about-credentials.md)]
+[!INCLUDE [about-credentials](about-credentials.md)]
+
+## Troubleshooting
+
+[!INCLUDE [troubleshooting](troubleshooting.md)]
diff --git a/articles/ai-foundry/model-inference/includes/configure-entra-id/portal.md b/articles/ai-foundry/model-inference/includes/configure-entra-id/portal.md
@@ -48,7 +48,6 @@ Follow these steps to configure Microsoft Entra ID for inference:
 
 Notice that key-based access is still possible for users that already have keys available to them. If you want to revoke the keys, in the Azure portal, on the left navigation, select **Resource Management** > **Keys and Endpoints** > **Regenerate Key1** and **Regenerate Key2**.
 
-
 ## Use Microsoft Entra ID in your code
 
 Once you configured Microsoft Entra ID in your resource, you need to update your code to use it when consuming the inference endpoint. The following example shows how to use a chat completions model:
@@ -57,6 +56,10 @@ Once you configured Microsoft Entra ID in your resource, you need to update your
 
 [!INCLUDE [about-credentials](about-credentials.md)]
 
+## Troubleshooting
+
+[!INCLUDE [troubleshooting](troubleshooting.md)]
+
 ## Use Microsoft Entra ID in your project
 
 Even when your resource has Microsoft Entra ID configured, your projects may still be using keys to consume predictions from the resource. When using the Azure AI Foundry playground, the credentials associated with the connection your project has are used. 
@@ -79,7 +82,6 @@ To change this behavior, you have to update the connections from your projects t
 
 7. Your connection is configured to work with Microsoft Entra ID now.
 
-
 ## Disable key-based authentication in the resource
 
 Disabling key-based authentication is advisable when you implemented Microsoft Entra ID and fully addressed compatibility or fallback concerns in all the applications that consume the service.
diff --git a/articles/ai-foundry/model-inference/includes/configure-entra-id/troubleshooting.md b/articles/ai-foundry/model-inference/includes/configure-entra-id/troubleshooting.md
@@ -0,0 +1,20 @@
+---
+manager: nitinme
+author: santiagxf
+ms.author: fasantia 
+ms.service: azure-ai-model-inference
+ms.date: 01/23/2025
+ms.topic: include
+---
+
+The following table contains multiple scenarios that can help troubleshooting Microsoft Entra ID:
+
+| Error / Scenario     | Root cause    | Solution |
+| -------------------- | ------------- | -------- |
+| You're using an SDK. | Known issues. | Before making further troubleshooting, it's advisable to install the latest version of the software you are using to connect to the service. Authentication bugs may have been fixed in a newer version of the software you're using. |
+| `401 Principal does not have access to API/Operation` | The request indicates authentication in the correct way, however, the user principal doesn't have the required permissions to use the inference endpoint. | Ensure you have: <br /> 1. Assigned the role **Cognitive Services User** to your principal to the Azure AI Services resource. <br /> 2. Wait at least 5 minutes before making the first call. |
+| `401 HTTP/1.1 401 PermissionDenied` | The request indicates authentication in the correct way, however, the user principal doesn't have the required permissions to use the inference endpoint. | Assigned the role **Cognitive Services User** to your principal in the Azure AI Services resource. Roles like **Administrator** or **Contributor** don't grand inference access. Wait at least 5 minutes before making the first call. |
+| You're using REST API calls and you get `401 Unauthorized. Access token is missing, invalid, audience is incorrect, or have expired.` | The request is failing to perform authentication with Entra ID. | Ensure the `Authentication` header contains a valid token with a scope `https://cognitiveservices.azure.com/.default`. |
+| You're using `AzureOpenAI` class and you get `401 Unauthorized. Access token is missing, invalid, audience is incorrect, or have expired.` | The request is failing to perform authentication with Entra ID. | Ensure that you are using an **OpenAI model** connected to the endpoint `https://<resource>.openai.azure.com`. You can't use `OpenAI` class or a Models-as-a-Service model. If your model is not from OpenAI, use the Azure AI Inference SDK. |
+| You're using the Azure AI Inference SDK and you get `401 Unauthorized. Access token is missing, invalid, audience is incorrect, or have expired.` | The request is failing to perform authentication with Entra ID. | Ensure you're connected to the endpoint `https://<resource>.services.ai.azure.com/model` and that you indicated the right scope for Entra ID (`https://cognitiveservices.azure.com/.default`). |
+| `404 Not found` | The endpoint URL is incorrect based on the SDK you are using, or the model deployment doesn't exist. | Ensure you are using the right SDK connected to the right endpoint: <br /> 1. If you are using the Azure AI inference SDK, ensure the endpoint is `https://<resource>.services.ai.azure.com/model` with `model="<model-deployment-name>"` in the payloads, or endpoint is `https://<resource>.openai.azure.com/deployments/<model-deployment-name>`. <br /> If you are using the `AzureOpenAI` class, ensure the endpoint is `https://<resource>.openai.azure.com`. |
diff --git a/articles/ai-services/openai/azure-government.md b/articles/ai-services/openai/azure-government.md
@@ -12,14 +12,14 @@ recommendations: false
 
 # Azure OpenAI Service and features in Azure Government
 
-This article highlights the differences when using Azure OpenAI in Azure Government as compared to the commercial cloud offering. If not specified, the Azure OpenAI model or feature should be assumed to be not available in the Azure Government environment. Learn more about the Azure OpenAI Service itself in [Azure OpenAI Service documentation](/azure/ai-services/openai/).
+This article highlights the differences when using Azure OpenAI in Azure Government as compared to the commercial cloud offering. Learn more about the Azure OpenAI Service itself in [Azure OpenAI Service documentation](/azure/ai-services/openai/).
 <br><br>
 
 ## Azure OpenAI models
 
 Learn more about the different capabilities of each model in [Azure OpenAI Service models](./concepts/models.md). For customers with [Business Continuity and Disaster Recovery (BCDR) considerations](./how-to/business-continuity-disaster-recovery.md), take careful note of the deployment types, regions, and model availability as not all model/type combinations are available in both regions. 
 
-The following sections show model availability by region and deployment type. Models and versions not listed are not currently available in Azure Government. 
+The following sections show model availability by region and deployment type. Models and versions not listed are not currently available in Azure Government. For general limits, quotas, and other details refer to [Azure OpenAI Service quotas and limits](/azure/ai-services/openai/quotas-limits/). 
 
 <br>
 
diff --git a/articles/ai-studio/how-to/configure-private-link.md b/articles/ai-studio/how-to/configure-private-link.md
@@ -272,7 +272,7 @@ If your storage account is private (uses a private endpoint to communicate with
     | `Storage Blob Data Contributor` | Azure AI Search | Storage Account | Read blob and write knowledge store | [Search doc](/azure/search/search-howto-managed-identities-data-sources). |
 
     > [!TIP]
-    > Your storage account may have multiple private endpoints. You need to assign the `Reader` role to each private endpoint.
+    > Your storage account may have multiple private endpoints. You need to assign the `Reader` role to each private endpoint for your Azure AI Foundry project managed identity.
 
 1. Assign the `Storage Blob Data reader` role to your developers. This role allows them to read data from the storage account.
 
diff --git a/articles/machine-learning/concept-train-model-git-integration.md b/articles/machine-learning/concept-train-model-git-integration.md
@@ -30,7 +30,7 @@ When you submit an Azure Machine Learning training job that has source files fro
 
 Azure Machine Learning provides a shared file system for all users in a workspace. The best way to clone a Git repository into this file share is to create a compute instance and [open a terminal](./how-to-access-terminal.md). In the terminal, you have access to a full Git client and can clone and work with Git by using the Git CLI. For more information, see [Git CLI](https://git-scm.com/docs/gitcli).
 
-You can clone any Git repository you can authenticate to, such as a GitHub, Azure Repos, or BitBucket repo. It's best to clone the repository into your user directory, so that other users don't collide directly on your working branch.
+You can clone any Git repository you can authenticate to, such as a GitHub, Azure Repos, or Bitbucket repo. It's best to clone the repository into your user directory, so that other users don't collide directly on your working branch.
 
 There are some differences between cloning to the local file system of the compute instance or cloning to the shared file system, mounted as the *~/cloudfiles/code/* directory. In general, cloning to the local file system provides better performance than cloning to the mounted file system. However, if you delete and recreate the compute instance, the local file system is lost, while the mounted shared file system is kept.
 
@@ -87,7 +87,7 @@ Add the SSH key to your Git account by using the following instructions, dependi
   - [GitHub](https://docs.github.com/github/authenticating-to-github/adding-a-new-ssh-key-to-your-github-account#adding-a-new-ssh-key-to-your-account)
   - [GitLab](https://docs.gitlab.com/ee/user/ssh.html#add-an-ssh-key-to-your-gitlab-account)
   - [Azure DevOps](/azure/devops/repos/git/use-ssh-keys-to-authenticate#step-2-add-the-public-key-to-azure-devops)
-  - [BitBucket](https://support.atlassian.com/bitbucket-cloud/docs/configure-ssh-and-two-step-verification/)
+  - [Bitbucket](https://support.atlassian.com/bitbucket-cloud/docs/configure-ssh-and-two-step-verification/)
 
 ### Clone the Git repository with SSH
 
diff --git a/articles/search/search-sku-tier.md b/articles/search/search-sku-tier.md
@@ -62,7 +62,6 @@ Currently, several regions are capacity-constrained for specific tiers and can't
 | France Central | Basic, S1| Sweden Central, Switzerland North|
 | North Europe | All tiers | Sweden Central, Switzerland North|
 | West Europe | All tiers | Sweden Central, Switzerland North|
-| US Gov Virginia | All tiers | US Gov Arizona |
 
 ## Feature availability by tier
 
